6,10 → 6,10 |
# |
# Reminders |
# There are four channels for log : |
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW); |
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW); |
# 2 protection of ALCASAR with the Ulog group 1 (default group) |
# 3 SSH with the ulog group 2; |
# 4 extern access attempts with the ulog group 3. |
# 3 SSH on ALCASAR with the Ulog group 2; |
# 4 extern access attempts on ALCASAR with the Ulog group 3. |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2` |
29,7 → 29,7 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
76,8 → 76,8 |
# destroy all the SET |
ipset destroy |
|
# Création du SET alcasar_ip_blocked et premier peuplement |
# creation of alcasar_ip_blocked SET and first populating |
# Création et peuplement du SET alcasar_ip_blocked |
# creation and first populating of alcasar_ip_blocked SET |
ipset create alcasar_ip_blocked hash:net hashsize 1024 |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
86,12 → 86,40 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
echo $ip_blocked |
ipset add alcasar_ip_blocked $ip_blocked |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
|
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown) |
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts) |
ipset create authenticated_ip hash:net hashsize 1024 |
OLDIFS=$IFS |
IFS=$'\n' |
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"` |
do |
active_ip=`echo $equipment |cut -d" " -f2` |
active_session=`echo $equipment |cut -d" " -f5` |
if [[ $(expr $active_session) -eq 1 ]] |
then |
ipset add authenticated_ip $active_ip |
fi |
done |
IFS=$OLDIFS |
|
# Création et peuplement du SET blacklist_ip_blocked |
# creation and first populating of blacklist_ip_blocked SET |
# wait for a better blacklist adapt process |
#ipset create blacklist_ip_blocked hash:net hashsize 1024 |
#cd $BL_IP_CAT |
#for category in `ls -1 | cut -d"@" -f1` |
#do |
# while read ip_blocked |
# do |
# ipset add blacklist_ip_blocked $ip_blocked |
# done < $BL_IP_CAT/$category |
#done |
|
############################# |
# PREROUTING # |
############################# |
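Review bot: The session test `if [[ $(expr $active_session) -eq 1 ]]` aborts with an "operand expected" error whenever a `chilli_query list` line has fewer than five fields, because `expr` then prints nothing and `[[ -eq ]]` is left with an empty operand; `expr` adds nothing here, so `if [[ "${active_session:-0}" == "1" ]]` is both safer and simpler. The same loop should quote its expansions (`ipset add authenticated_ip "$active_ip"`) in line with the `IFS=$'\n'` change the hunk already makes, and the `ipset add alcasar_ip_blocked $ip_blocked` line would benefit from `-exist` so a duplicate entry in the blocked-IP file does not produce an error mid-population; whether such an error is fatal depends on whether the script runs under `set -e`, which is not visible in this hunk. Note that the `while read ip_line` loop and the `$ip_on` variable it tests at the top of the hunk are defined before the hunk starts.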
121,10 → 149,20 |
fi |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54 |
fi |
# Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of banned ip to ALCASAR (access deny window) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http |
|
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
#if [ $DNS_FILTERING = on ]; then |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
#fi |
|
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception) |
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https |
|
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
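Review bot: The comment above the rewritten redirect rule says "HTTP requests of admin banned ip", but the rule matches `--match-set alcasar_ip_blocked dst`, i.e. requests whose destination is in the blocked set, not requests from a banned client; a reader could misread this as a source ban. I would reword it to `# Redirect HTTP requests towards IPs of the alcasar_ip_blocked SET (destinations blocked by the admin) to ALCASAR (access denied page)`. The new HTTPS rule that follows is correctly worded (`! --match-set authenticated_ip src`), so only the first comment needs the fix.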
230,26 → 268,16 |
|
# Blocage des IPs du SET alcasar_ip_blocked |
# Deny IPs of the SET alcasar_ip_blocked |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset |
|
# Si le filtrage de domain est activé, blocage des IP de la BL |
# If DNS filter is on, reject IP of BL |
# Comment : loading time is too long and iptables should become oveloaded !!! should use "ipset" instead |
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
#if [ $DNS_FILTERING = on ]; then |
# cd $BL_IP_CAT |
# for category in `ls -1 | cut -d"@" -f1` |
# do |
# while read ip_blocked |
# do |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
# done < $BL_IP_CAT/$category |
# done |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
#fi |
|
# Autorisation des retours de connexions légitimes |